Changes between Version 58 and Version 59 of doc/HTTPSEverywhere/SSLObservatorySubmission


Timestamp:
Jun 11, 2011, 9:10:40 PM (6 years ago)
Author:
karsten
Comment:

Fix internal wiki link

  • doc/HTTPSEverywhere/SSLObservatorySubmission

    v58 v59  
    1010To prevent submission of private infrastructure certificates, the client also maintains a list of fingerprints of the superset of root CAs trusted by all versions of Firefox, as well as popular 3rd party CAs such as CACert. If a certificate chain is rooted in a CA not in this set, it is assumed to be private, and the certificates it signs are not submitted. Additionally, if the browser detects that the domain in question had resolved to an RFC1918 IP, the certificate would not be submitted by default. (XXX: Should this resolution be done over Tor, or should it always be done using the user's current local proxy settings/local resolver? The latter leaves them open to an MITM attack by someone who owns their router, but the former leaks potentially private DNS names to tor exits).
    1111
    12 The certificate is POSTed to https://observatory.eff.org/submit_cert. The EFF also runs a Tor [https://trac.torproject.org/projects/tor/wiki/doc/TheOnionRouter/ExitEnclave Exit Enclave] on this host, which prevents certain circuit activity correlation attacks against Tor.
     12The certificate is POSTed to https://observatory.eff.org/submit_cert. The EFF also runs a Tor [wiki:doc/ExitEnclave Exit Enclave] on this host, which prevents certain circuit activity correlation attacks against Tor.
    1313
    1414= Client UI and configuration Variables =
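
Review bot: on the replaced line 12, the new target `wiki:doc/ExitEnclave` is not simply the internal form of the old URL. The old path was `doc/TheOnionRouter/ExitEnclave`, so the `TheOnionRouter/` component has been dropped along with the host. If the Exit Enclave page still lives under the old path, the link should read `[wiki:doc/TheOnionRouter/ExitEnclave Exit Enclave]`. If the page was moved, note that in the change comment, which currently says only "Fix internal wiki link", so a reader of the history can tell the path change was intended.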